
State of Surveillance in the Philippines

The Philippines has a total population of over 100 million people[1] and was estimated to reach 101.6 million in 2015. The country had a national internet penetration figure of around 40 % in 2014.[2] Overall, 45 million people are active Internet users,[3] while 32 million are active mobile internet users.[4] According to one study, the country ranks first in terms of the average number of hours (6.3 hours) spent using the internet per day on a laptop or desktop.[5] When access is through a mobile device, Filipinos spend on average 3.3 hours online per day.[6] This is still high compared with the global median of 2.7 hours. The annual growth in the number of active Internet users was at 10 % between 2013 and 2014.[7] These statistics are surprising given that the country’s average Internet connection speed is 2.5MBPs, well below the global average of 4.5MBPs.[8]

There were 102 million mobile connections in the country in 2012.[9] Set against the national population, the mobile connection rate is at 114 %.[10] Of these, 96 % are pre-paid connections, with the remaining 4 % being post-paid connections.[11] 42 % of mobile connections are broadband (3G and 4G).[12]

Facebook had over 30 million accounts from the Philippines in 2013.[16] Filipino social media users spend an average of 4.3 hours (or 4 hours and 15 minutes) per day on social media (on any device).[17]

LEGAL LANDSCAPE

International conventions on privacy and human rights in general

The Philippines government is a signatory to a number of international human rights instruments. These include:

the Universal Declaration of Human Rights (UDHR);

the International Covenant on Civil and Political Rights (ICCPR);

the International Covenant on Economic, Social and Cultural Rights (ICESCR); and

the International Convention on the Elimination of All Forms of Racial Discrimination.

Constitution

Communications surveillance is embodied or dealt with in various laws and rules, mostly involving penal statutes or otherwise bearing upon the privacy of communication (or communication privacy) which is a distinct species of privacy recognized in Philippine jurisprudence. Mapping out the legal regime on communications surveillance in the Philippines necessarily includes the legal regime on communication privacy. Under this premise, the following survey proceeds to trace the definition, treatment and regulation of communications surveillance in Philippine law.

The term “communications surveillance” is not (yet) defined in Philippine law. Nonetheless, it is generally regarded as an act or activity that is proscribed or restricted by law. Such conception is derived from the express recognition of “the privacy of communication and correspondence” in the Bill of Rights or Article III of the 1987 Philippine Constitution.[18] Under Section 3 of the Philippine Charter, communication privacy is inviolable except upon lawful order of the court, or when public safety or order, by law, requires otherwise. A violation of this tenet renders any evidence obtained thereby inadmissible for any purpose.

Interception and surveillance

The protection of (the privacy of) correspondence is echoed in international human rights instruments like the Universal Declaration of Human Rights[19] and the International Covenant on Civil and Political Rights[20] (ratified by the Philippines in 1986), which form part of Philippine law by virtue of the doctrine of incorporation.[21] Being considered a human right, communication privacy would then fall within the ambit of the Constitution’s declaration that “the State values the dignity of every human person and guarantees full respect for human rights”.[22]

Communications surveillance, to the extent that it impinges on communications and its attendant rights, may also be limited by the Constitutional provision that directs the State to “provide the policy environment for… the emergence of communication structures suitable to the needs and aspirations of the nation and the balanced flow of information into, out of, and across the country, in accordance with a policy that respects the freedom of speech and of the press”.[23]

Outside the principles and policy pronouncements in the Constitution, communications surveillance is tackled, explicitly or implicitly, in several statutes or Republic Acts (RA)[24] that provide a cause of action or remedies for breaches of privacy.

Under the Civil Code of the Philippines [RA 386 (1949)], anyone who “obstructs, defeats, violates or in any manner impedes or impairs” the privacy of communication and correspondence is liable for damages.[25]

Elsewhere, communications surveillance may be penalized as a felony or crime. Article 290 of the Revised Penal Code [Act No. 3815 (1930)] punishes any person who seizes the papers or letters of another in order to discover his/her secrets.[26] Under the Electronics Engineering Law of 2004 [RA 9292], any registered electronics engineer or technician may be punished with a fine and/or imprisonment for involvement in “illegal wire-tapping, cloning, hacking, cracking, piracy and/or other forms of unauthorized and malicious electronic eavesdropping and/or the use of any electronic devices in violation of the privacy of another or in disregard of the privilege of private communications”.[27]

The Anti-Wiretapping Act of 1965 [RA 4200, entitled “An Act to Prohibit and Penalize Wire Tapping and other Related Violations of the Privacy of Communication, and for other Purposes”] prohibits and penalises wire tapping done by any person to secretly overhear, intercept, or record any private communication or spoken word of another person or persons without the authorisation of all the parties to the communication.[28] Those who knowingly possess, replay, or communicate recordings of wiretapped communications,[29] as well as those who aid or permit wiretapping,[30] are likewise held liable. However, RA 4200 provides an exception for instances where a law enforcement officer is authorized by a written order of the Court to perform wire-tapping “in cases involving the crimes of treason, espionage, provoking war and disloyalty in case of war, piracy, mutiny in the high seas, rebellion, conspiracy and proposal to commit rebellion, inciting to rebellion, sedition, conspiracy to commit sedition, inciting to sedition, kidnapping as defined by the Revised Penal Code, and violations of Commonwealth Act No. 616, punishing espionage and other offenses against national security,” provided that a number of stringent requirements are complied with.[31]

On the other hand, in other statutes, communications surveillance is ostensibly sanctioned as a legitimate law enforcement activity. The Expanded Anti-Trafficking in Persons Act of 2012 [RA 9208, as amended by RA 10364] expressly mandates the Philippine National Police (PNP) and National Bureau of Investigation (NBI) to be the primary law enforcement agencies “to undertake surveillance, investigation and arrest of individuals or persons suspected to be engaged in trafficking”.[32]

The Human Security Act of 2007 [RA 9372], entitled “An Act to Secure the State and Protect our People from Terrorism”, explicitly allows the surveillance of terrorism suspects and interception and recording of communications “between members of a judicially declared and outlawed terrorist organization, association, or group of persons or of any person charged with or suspected of the crime of terrorism or conspiracy to commit terrorism” upon a written order of the Court of Appeals,[33] even as it declares that in its implementation “the State shall uphold the basic rights and fundamental liberties of the people as enshrined in the Constitution”.[34] Similar to, if not more stringent than, the Anti-Wire-Tapping Act, this law mandates compliance with many requirements, from applying for judicial authorization to the deposit and disposition of intercepted and recorded materials.[35] The Human Security Act also prohibits “the surveillance, interception and recording of communications between lawyers and clients, doctors and patients, journalists and their sources and confidential business correspondence”.[36]

The Anti-Child Pornography Act of 2009 [RA 9775] may be read as effectively facilitating communications surveillance by internet service providers (ISPs) – private entities – since this law requires ISPs, under pain of penalty, to: (1) notify the PNP or the NBI of facts and circumstances indicating that any form of child pornography is being committed using its server, (2) preserve evidence of the same for purpose of investigation and prosecution, and (3) install software to ensure that access to or transmittal of any form of child pornography will be blocked or filtered.[37] Ironically, the same provision states that “[n]othing in this section may be construed to require an ISP to engage in the monitoring of any user, subscriber or customer, or the content of any communication of any such person”.[38]

Cybercrime

The Cybercrime Prevention Act of 2012 [RA 10175] originally authorized law enforcers, “with due cause… to collect or record by technical or electronic means traffic data in real-time associated with specified communications transmitted by means of a computer system,”[39] until this provision, among others, was declared void for being unconstitutional by the Philippine Supreme Court in 2014.[40] Despite the nullification, however, this law still allows the interception[41] of communications and the disclosure[42] and preservation[43] of computer data[44], provided certain requirements are complied with. Under this law, the disclosure of computer data, that is, an order by law enforcement authorities requiring a person or service provider[45] to disclose or submit subscriber’s information[46], traffic data[47] or other data in his/its possession or control must be: (1) based on a court warrant secured for this purpose; (2) in relation to a valid complaint officially docketed and assigned for investigation; and (3) necessary and relevant for the purpose of investigation.[48] It must be pointed out, however, that there appears to be no provision for the requirements for the issuance of a court warrant.[49] On the other hand, RA 10175 requires the preservation of data (i.e. traffic data and subscriber information) for a minimum period of six months from the date of the transaction.[50] Similarly, content data[51] shall be preserved for six months from the receipt of an order from law enforcement authorities requiring its preservation.[52] The law also allows law enforcement authorities to order a one-time extension for another six months, except that once computer data stored by a service provider are used as evidence in a case, the mere furnishing to such service provider of the transmittal document to the Office of the Prosecutor shall be deemed a notification to preserve the computer data until the termination of the case.[53] Furthermore, the service provider ordered to preserve computer data is directed to keep the order and its compliance confidential.[54] Again, as in the court warrant, the law does not appear to state any prerequisites for the issuance of the aforementioned orders by law enforcement authorities. Finally, it is noted that the law’s implementing rules and regulations have yet to be issued by those jointly charged with such responsibility, namely, the ICT Office – Department of Science and Technology, the Department of Justice, and the Department of the Interior and Local Government.[55]

Checks and balances

In addition to the safeguards apparently built in the abovementioned laws, there are other laws and rules that can serve to counter or check the conduct of communications surveillance permitted by the foregoing.

The Rule on the Writ of Habeas Data [A.M. No. 08-1-16-SC] issued by the Supreme Court in 2008 provides the writ as a remedy available to persons whose right to privacy in life, liberty, or security is violated or threatened by an unlawful act or omission of a public official or employee, or of a private individual or entity engaged in the gathering, collecting, or storage of data or information regarding his person, family, home, and/or correspondence.[56] The writ of habeas data basically enables people to find out what information is being collated about them by law enforcement agencies as well as by private entities, and the use and purpose of collecting it. The petitioner may then seek such reliefs as the updating, rectification, suppression, or destruction of the database or information or files kept by the erring party, or, in the case of threats, an order enjoining the act that is the subject of the complaint.[57]

Data protection

The Data Privacy Act of 2012 [RA 10173] (“DPA”) is another potential source of legal remedies against communications surveillance. It is not primarily concerned with communication privacy, let alone, communication surveillance, dealing, as it does, with data privacy which is a distinct category of privacy. However, the law includes in its scope privileged information, a term it defines as “any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.”[58] As a result, any Philippine legal regime purporting to govern communication privacy (and communication surveillance, by extension) must include the DPA as a component.

The DPA establishes the general rule that the processing[59] of privileged information (i.e., privileged communication) is a prohibited activity. It does, however, provide certain exceptions:[60]

when all the parties to the exchange have given their consent prior to the processing;

when the processing is authorized by existing laws and regulation, provided that:

the authorizing law/regulation guarantees the protection of the privileged information, and

the authorizing law/regulation itself does not require the consent of the parties to the exchange

when the processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations, provided that all of the following conditions are present:

the processing is limited to the members of the public organization/association involved;

the sensitive personal information is not transferred to third parties; and

the consent of the data subject is secured

when the processing is necessary for purposes of medical treatment, which is carried out by a medical practitioner or a medical treatment institution, and the processing ensures an adequate level of protection

when the processing concerns sensitive personal information which is necessary for (a) the protection of lawful rights and interests of natural and legal persons in court proceedings, or (b) the establishment, exercise or defense of legal claims

when the sensitive personal information is to be provided to the government or a public authority

Notwithstanding these exceptions, the law does grant personal information controllers the ability to invoke the “principle of privileged communication” over the privileged information that they have in their lawful control or possession. Presumably, this would render the privileged information inadmissible as evidence in any court or legal proceeding wherein they may be presented.[61]

It is also important to note that the DPA expressly amends Section 7 of the Human Security Act which authorizes the surveillance of terrorism suspects (discussed above).[62]

POLICIES

Data retention

Data retention is most clearly outlined in the Implementing Rules and Regulations of the Electronic Commerce Act (2000). The original act is intended to provide for the “recognition and use of electronic commercial and non-commercial transactions and documents, penalties for unlawful use thereof and for other purposes”.[63] Section 20 of its Implementing Rules and Regulations[64] outlines appropriate forms of data retention and the mandate of “relevant government agencies” to impose regulations on data retention:

“(a) The requirement in any provision of law that certain documents be retained in their original form is satisfied by retaining them in the form of an electronic data message or electronic document which:

(i) Remains accessible so as to be usable for subsequent reference;

(ii) Is retained in the format in which it was generated, sent or received, or in a format which can be demonstrated to accurately represent the electronic data message or electronic document generated, sent or received; and,

(iii) Where applicable, enables the identification of its originator and addressee, as well as the determination of the date and the time it was sent or received.

(b) The requirement referred to in paragraph (a) is satisfied by using the services of a third party, provided that the conditions set forth in subparagraphs (i), (ii) and (iii) of paragraph (a) are met.

(c) Relevant government agencies tasked with enforcing or implementing applicable laws relating to the retention of certain documents may, by appropriate issuances, impose regulations to ensure the integrity, reliability of such documents and the proper implementation of Section 13 of the Act.”

As part of its regulatory function, the National Telecommunications Commission released a memorandum (MC 04-06-2007)[65] in June 2007 on the data log retention of telecommunications traffic.[66] Section 1 states:

“PTEs shall retain the call data records on voice calls and similar records for non-voice traffic. Non-voice traffic includes SMS, MMS and other similar telecommunications services.”

Section 2 states:

“Records indicating traffic data on the origin, destination, date, time, and duration of communications shall be retained within the following periods:

a) two (2) months for non-metered services with fixed monthly charges; b) four (4) months for other telecommunications services not covered in (a); or c) until excused by NTC for records requested in connection with pending complaints.”

Identification and registration of subscribers

At the moment, there is no mandatory requirement to have SIM cards registered, except those of post-paid subscribers of telecommunication companies. There is, however, an ongoing effort to put a more comprehensive system in place, courtesy of a couple of pending bills in Congress.

The House of Representatives has successfully passed (on third reading) House Bill No. 5231, which has the short title of “Subscriber Identity Module (SIM) Card Registration Act.”[67] If enacted into law, it requires the end user of a SIM card to verify his/her identity at the point of sale by presenting some proof of identification, including a photo.[68] A control numbered registration form will also have to be filled up.[69] In terms of proper safeguards, the bill requires every public telecommunications entity (PTE) to keep all subscriber data confidential, unless the release thereof is ordered by a competent court “upon finding of probable cause that a particular number is used in the commission of a crime or that it was utilized as a means to commit an unlawful act.”[70] However, it is remarkably silent whether the same set of controls applies to the National Telecommunications Commission (NTC), which is the government agency charged with its regulation, and to which a copy of all subscriber data is also provided.[71]

There is also a Senate version of this proposed measure[72] and it looks to be more onerous than its lower House counterpart, limiting as it does the ownership of SIM cards to three (3). Anyone owning more than that must either discontinue or transfer ownership over to another. Those already owning pre-paid SIM cards prior to the passage of the bill must accomplish their registration within a very limited period of fifteen (15) days from the time they need to “reload” or “top-up” their card, or suffer deactivation. Fortunately, this bill has not seen any development since its filing on 4 March 2015.

ACTORS

Regulatory bodies
The National Telecommunications Commission is the telecommunications industry regulatory body. Its legal mandate[73] consists of the following:

regulation of the installation, operation and maintenance of radio stations both for private and public use;

regulation and supervision of the provision of public telecommunications services;

management of the radio spectrum; and

regulation and supervision of radio and television broadcast stations, cable televisions and pay television.

In pursuit of such agency objectives, it performs the following functions:[74]

Granting certificates of Public convenience and Necessity/Provisional Authority to install, operate and maintain telecommunications, broadcast and CATV services;

Granting licenses to install, operate and maintain radio stations;

Allocating/sub-allocating and assigning the use of radio frequencies;

Type-approving/type-accepting all radio communications, broadcast and customer premises equipment;

Conducting radio communications examinations and issuing radio operator certificates;

Preparing, planning and conducting studies for policy and regulatory purposes;

Monitoring the operation of all telecommunications and broadcast activities;

Performing such other telecommunications/broadcast-related activities as may be necessary in the interest of public service.

Communications Service Providers

There are two monopolies controlling the telecommunications industry in the Philippines, Globe Telecoms (Globe) and Smart/Philippine Long Distance Telephone (PLDT).[75]

Globe is the nation’s predominant phone service provider, with 65.5 million subscribers (of a total population of approximately 100 million persons), reported in October 2015. Smart, an operator fully owned by PLDT, has approximately 54.5 million subscribers.

Security and Law Enforcement Agencies

National Security Council

The National Security Council (NSC) is the lead agency of the government for coordinating the formulation of policies relating to national security.[76] It was created through Executive Order No. 330 (s. 1950), and reorganized through Executive Order Nos. 115 (s. 1986), and 34 (s. 2001). Among other things, the Council advises the President on the integration of domestic, foreign, military, political, economic, social and educational policies relating to national security.[77] It also formulates government policies relating to national security and makes recommendations to the President regarding the same.[78] It has administrative supervision over the National Intelligence Coordinating Agency (NICA, discussed below), even as the latter may report directly to the President.[79] Apart from the NICA, the Council also provides guidance and direction to the operations of the Philippine Center on Transnational Crimes (PCTC), and coordinates, at the policy level, the fight against terrorism through the Anti-Terrorism Task Force.[80]

Office of the National Security Adviser (ONSA)

The National Security Adviser is also referred to as the National Security Director[81] or NSC Director General.[82] As a member of both the NSC and the Council’s Executive Committee, the NSA advises the President on matters pertaining to national security and, when directed by the President, shall see to the implementation of decisions or policies that have a bearing on national security, as adopted by the President or the Council.[83] The NSA is also a member of the Presidential Anti-Organized Crime Commission (PAOCC), by virtue of Executive Order No. 8 (s. 1998).[84]

In 2006, through Executive Order No. 492, the ONSA was accorded the “principal authority to oversee and supervise the implementation of a program to build up, integrate and employ reconnaissance and surveillance capabilities of civilian agencies and armed services”. It was also made “principal adviser on national reconnaissance and surveillance activities”.[85] For this purpose, the NSA was tasked to carry out “measures to coordinate inter-agency requirements and supervise the acquisition of reconnaissance and surveillance equipment, including but not limited to unmanned aerial vehicles (UAVs)”.[86] Accordingly, he was given the authority to coordinate the securing of funds necessary to acquire the required facilities and equipment.[87] The EO explicitly mandated the NSA to oversee the formulation of the terms of reference for the joint use of the UAVs, which shall enable the acquisition of the facilities and equipment by allocating the cost among the beneficiary agencies that will have actual use of such resources in their respective operations.[88]

Under the same EO, the Maritime Aerial Reconnaissance and Surveillance (MARS) Program was established.[89] The program is charged with the reconnaissance and surveillance of the country’s maritime zones and terrestrial/land areas, using “modern reconnaissance and surveillance systems”.[90] Its objective is “to enhance the national capability to gather near real-time video recording and information for decision-making needs”,[91] as well as to “provide law enforcement personnel and ground operators near real-time high accuracy, sustainable capability for reconnaissance and surveillance and dominant situational awareness to swiftly and effectively interdict when an illegal activity occurs”.[92] To facilitate the operations of the program, a National Maritime Aerial Reconnaissance and Surveillance Center (NMARSC) was established, through the efforts of the NICA.[93] As focal point for national reconnaissance and surveillance activities and operations, the NMARSC is under the supervision and control of the ONSA.[94]

In 2007, with the establishment of the National Security Clearance System for Government Personnel with Access to Classified Matters, the ONSA was charged with acting on the recommendations of the NICA as to who shall be granted security clearances.[95] Decisions by the ONSA in this regard may be appealed to the Office of the President.[96]

National Intelligence Coordinating Agency (NICA)

The National Intelligence Coordinating Agency (NICA) functions under the Office of the President, and is under the administrative supervision of the National Security Adviser.[97] Originally created in 1949 under then President Elpidio Quirino,[98] its current mandate is to be “the focal point for the direction, coordination and integration of government activities involving intelligence, and the preparation of intelligence estimates of local and foreign situations for the formulation of national policies by the President”[99].

In 2002, it was reorganized by then President Gloria Macapagal-Arroyo through Executive Order No. 69. The following year, its role and authority was further strengthened when, through Administrative Order No. 68, its Director General (DG-NICA) was assigned as principal adviser to the President on Intelligence.[100] The DG was also tasked to establish the Directorate for Counterintelligence, which now serves as the focal point for the national government’s counterintelligence activities and operations. Three other offices were also created to further assist the NICA in its mandate:

the National Intelligence Committee, which serves as an advisory board to the DG;[101]

the Counter-Terrorism Intelligence Center, a multi-agency body under the direct control of the DG, which provides “over-all coordination in the conduct of intelligence operations to facilitate gathering, processing, disseminating and sharing of intelligence on terrorism, especially on international terrorism”;[102] and

Area Counter-Terrorism Intelligence Centers (Area CTICs), which are principally tasked to “capture and fuse at the operational and tactical levels the intelligence outputs, with emphasis on domestic and international terrorism, of all intelligence agencies— civil, military and police—in their respective areas of operations”.[103]

The NICA may detail “liaison officers” to other government offices both inside and outside the country.[104] In fact, as regards its foreign liaison program, it coordinates the same with other government agencies that regularly post representatives overseas.[105] At the same time, through its DG, it is also expected to establish and strengthen liaison work between the agency and its foreign counterpart intelligence and security organizations.[106]

In 2006, the NICA was designated as the technical operator of the Maritime Aerial Reconnaissance and Surveillance (MARS) Program.[107] This authorized the Agency to “procure UAVs or enter into lease agreements governing such vehicles”.[108]

The following year, the NICA was tasked to formulate the Implementing Rules and Regulations of Executive Order No. 608, which provided for the establishment of a national security clearance system for all government personnel with access to classified materials. Under the EO, the Agency was tasked to receive the names of personnel granted by their respective agencies Interim Security Clearances.[109] From the list of names, it was expected to recommend to the ONSA who among the individuals shall ultimately be given Security Clearances.[110] For this purpose, the Agency was authorized to conduct further background investigation on the personnel involved, on its own or by acting upon a request.[111]

In 2011, the DG of the NICA was made a member of the Presidential Anti-Organized Crime Commission (PAOCC), by virtue of EO No. 46 (s. 2011), which amended EO No. 799 (s. 2009).[112]

National Intelligence Committee (NIC)

The NIC is an advisory body to the DG-NICA for the “coordination, integration and fusion of all intelligence activities relating to the preparation of the National Intelligence Estimate (NIE) and in addressing other issues of national intelligence concern”.[113]

With the DG-NICA as Chair, its membership includes: (1) Undersecretary for Policy, Department of Foreign Affairs; (2) Director, National Bureau of Investigation; (3) Commissioner, Bureau of Customs; (4) Commissioner, Bureau of Immigration; (5) Deputy Chief of Staff for Intelligence, J2, Armed Forces of the Philippines; (6) Director for Intelligence, Philippine National Police; and (7) the Commanding Officer, Presidential Security Group.[114]

The NICA is assisted by Regional Intelligence Committees (RICs), whose mandate is to coordinate the efforts of all government intelligence units and agencies at the regional and local levels to ensure the integration and fusion of all information of national intelligence concern gathered at the aforesaid levels.

National Intelligence Board (NIB)

The NIB is another advisory body to the DG-NICA for the coordination and integration of intelligence activities in the Government.[115] Its members are appointed by the President, although the National Security Director/Adviser may sit in all meetings of the Board.[116] Through Administrative Order No. 217 (s. 1991), the membership of the NIB was expanded to include twelve (12) civilian agencies and seven (7) military offices.[117]

As in the case of the NIC, the DG-NICA is also the Chairperson of the NIB.[118] The presence of the National Security Adviser/Director in all meetings of the Board is mandatory.[119]

In relation to the NIC, the Board shall utilize the NIC as its principal arm for purposes of “providing direction and control of intelligence operations and activities of NIB members, departments, agencies, and offices”.[120]

Intelligence Service, Armed Forces of the Philippines (ISAFP)

The ISAFP is one of the AFP-Wide Support and Separate Units (AFP-WSSU).

Police Intelligence Group (Operational Support Unit) Philippine National Police

The Police Intelligence Unit is one of several operational support units of the PNP.[121][122] Headed by a Director with a rank of chief superintendent, the PIU serves as the intelligence and counterintelligence operating unit of the PNP.[123] According to at least two news reports, this unit (specifically, its counter-intelligence component) is also charged with providing physical security to police camps, as well as official documents of the PNP.[124] It also monitors the illegal activities of certain police officers.[125]

Philippine National Police

The Anti-Cybercrime Group (ACG) was activated in March 2013, pursuant to Section 10 of the Cybercrime Prevention Act, which provides that the PNP, along with the National Bureau of Investigation (NBI), shall “organize a cybercrime unit or center manned by special investigators to exclusively handle cases involving violations” of the law. Today, it serves as the primary police unit responsible for the implementation of pertinent laws on cybercrimes and anti-cybercrime campaigns of the PNP and the national government. The Group focuses on cybercrime offenses, computer-related offenses, and other content-related offenses such as cybersex, child pornography, unsolicited commercial communication, and other related offenses.[126]

Office of the Deputy Director for Intelligence Services, National Bureau of Investigation

The CCD falls under the Office of the Deputy Director for Investigation Services.[128] Presumably, the establishment of this division was also brought about by the need to comply with Sec. 10 of the Cybercrime Prevention Act.

A “New Agency”

In April 2014, some reports revealed a purported plan by the government to create a new intelligence agency akin to that of the U.S. Defense Intelligence Agency.[129] This new spy institution will supposedly incorporate the ISAFP, effectively making the unit an integral part of the defense department. It will engage in the “gathering and analysis of security-related foreign, domestic, political and economic, industrial, geographic, military and civilian intelligence data.”[130] Sources privy to the matter have recently indicated that this plan has been scuttled because of fundamental differences between the merging institutions.

EXAMPLES OF SURVEILLANCE

The most controversial case of communications surveillance in the Philippines to date is the “Hello Garci” scandal, which involved former President Gloria Macapagal Arroyo and one election commissioner. The wiretapped conversation concerned electoral fraud in favor of Arroyo which was purportedly committed during the 2004 Presidential Elections.

The source of the copy of the wiretapped conversation never became clear. Several personalities, both from the administration and the opposition, presented their own copy of the recording, but no one claimed actual ownership. An agent of the Intelligence Service of the Armed Forces of the Philippines (ISAFP) admitted his involvement in the surveillance operation dubbed “Project Lighthouse” and pointed to the Military Intelligence Group 21 of the AFP as the unit that carried out the activity. An employee of a local telecommunications company was also implicated in the wiretapping. However, the company denied knowledge of the operation.

Another former President was also the subject of at least two surveillance-related incidents. In 1986, during her visit to the U.S., Corazon Aquino’s conversation with two Cabinet members regarding the impact of the new constitution was recorded.[131] The conversation reflected the concerns of the administration regarding the impact of the ban on nuclear weapons on the existence of U.S. military bases in the country.[132] The transcript of the recording was leaked by the opposition days before the ratification of the new constitution.

The second incident occurred in 2007, when surveillance equipment was found near her private residence.[133] The police and, again, the ISAFP and another telco employee were implicated in the illegal activity, but they denied their involvement. No clear reason was given for the intercept.[4]

Another confirmed wiretapping incident occurred in 2008, when the phone conversation between two witnesses to a graft-laden, albeit botched, government project with China was captured on record.[5] While no one admitted to carrying out the surveillance operation, a copy of the recording wound up in the hands of the chairman of the elections commission, who was then being implicated in the controversial project.[6] The witnesses accused the official of attempting to dissuade them from testifying by threatening to make public their private conversation.[7] As they went ahead with their exposé, the recording ended up being posted online on YouTube.

Guillermo Luz, a prominent business executive and a known critic of the administration, filed petitions for the writs of Habeas Data and Amparo with the Supreme Court in order to stop the government from conducting state-sponsored military surveillance he believed he was then subject to. His cases were granted but brought to the appellate court for hearing.[8] The case closed after the AFP declared that he was not under any surveillance or case-building activity.[9]

Other reported cases of wiretapping were false alarms. In one case, a legislator was accused of having violated the law after recording an executive session of a Congressional committee.[10] In another, a government executive filed charges against a well-known Filipino journalist for allegedly recording their phone conversation sans her consent.[11] Both incidents were eventually resolved, with no case being filed against the legislator, while that filed against the journalist was later dropped, after prior consent of the complainant was properly established.

TECHNOLOGIES

Biometric data

In 2015, FMA reported[142] that the Philippines government was considering adopting PISCES, a biometric identification technology developed by the US government, at its border points, including the airport in Manila, according to a document acquired by privacy activists. PISCES is an acronym for Personal Identification Secure Comparison and Evaluation System, a customizable software application that provides border control officials with information that allows them to identify and detain or track individuals of interest.[143] The system can be used to quickly retrieve information on persons entering or leaving the country.

The US introduced the software in 1997 through its Terrorist Interdiction Program (TIP), “a highly effective, low-cost proven tool in the global fight against terrorism…. (which) …provides participant countries with the ability to collect, compare and analyze traveler data to assist the country in securing its borders and, if necessary, detain individuals of interest”.[144]

In 2004, a local paper quoted a Bureau of Immigration officer stationed at the Ninoy Aquino International Airport (NAIA) as he remarked about an impending upgrade of the PISCES program they were then using in that facility.[145] It is likely that the 2015 document represents an upgrade on an existing capacity.

IMSI catchers

In April 2014, The Tribune reported that the Philippine government’s Department of National Defense (DND) had acquired surveillance equipment worth 135 million pesos (US$ 3.4 million).[146] Supposedly covered by a 26 October 2011 purchase request, the device was described as a “Radio Frequency Test Equipment” (RFTE) provided by Rohde & Schwarz (R&S), an electronic surveillance company based in Germany. Rohde & Schwarz specializes in military and dual-use equipment, including spectrum analysers and encrypted communications systems.

According to media reports, the equipment would have the capability to home in on and intercept calls and text messages sent within a 500-metre radius of the device.[147] The revelation prompted concerns by opposition groups that the government would use the technology to spy on them. The government denied these claims.[148]

According to documents obtained by Privacy International, a UK-based company sought two export licenses for “telecommunications interception equipment”, most likely for IMSI catchers, to the Philippines in 2015. An IMSI Catcher is a phone monitoring kit that provides active intercept capabilities. Traditionally, IMSI Catchers (or Stingrays as they are known in the US) can capture a number of different pieces of identifiable information including the IMEI and the IMSI: identifiers for your phone and SIM card respectively. IMSI Catchers can also record voice and message data as they travel through mobile networks.[149]

Intrusion malware

The Philippines government reportedly sought an intrusion malware tool, the Remote Control System (RCS), from Italian surveillance company Hacking Team. RCS is used to monitor a particular device through the direct installation of a malicious program on a target’s device, usually by way of fallacious updates, fake websites, or false documents that a target is encouraged to download, inadvertently allowing the RCS tool to infect his or her device.

Documents leaked from Hacking Team in 2015 revealed a significant amount of interest from several parties purporting to represent different agencies of the Philippine government.

On 13 March 2011, an individual claiming to belong to the National Bureau of Investigation’s (NBI) Cyber Center, working under the Office of the Director, reached out to the company seeking a proposed solution to a potential “cyber attack offensive”, similar to what was then a common occurrence in Australia.[150] Hacking Team responded to this request by outlining the salient features of the RCS.

FMA reported that in January 2013, an individual named “Gadburt Mercado” began communicating with Daniel Maglietta, Chief of HT’s Singapore Representative Office, to set up a product demonstration meeting between HT executives and Mr. Mercado’s supposed principal, Col. Manuel Lucban, Chief of Police of Makati City.[151] Spanning a period of more than a year, the email thread suggests that no actual meeting took place during such time due to the conflicting schedules of the parties.

In March 2015, a person claiming to be an officer of the Intelligence Services of the Armed Forces of the Philippines (ISAFP) relayed his unit’s interest in the capabilities of HT’s Galileo Remote Control System. He requested additional information from the company, as well as a product demonstration.[152]

Social media analysis

In 2015, FMA reported that the Philippines government was considering adopting Signal, a software application made in New Zealand for large-scale social media analysis, as part of their emergency management and policing capacities.[153] Initially developed by the New Zealand Police as part of its security measures during the Rugby World Cup hosted by the country in 2011, the application later underwent significant enhancements, owing to the Police’s subsequent partnership with Intergen and Microsoft. Among others, all information gathered by the application is now funneled into a single platform known as Real-Time Intelligence for Operational Deployment (RIOD). This platform is based on Microsoft SharePoint[154] and allows for improved collaboration, process optimization and information discovery. Meanwhile, the Microsoft Azure cloud platform is used to secure real-time intelligence and provide situational awareness on specific incidents.

US government surveillance

The US government conducts extensive surveillance activities in and around the Philippines that it justifies in part in relation to its activities against Islamist militant groups in the “war on terror”. These include joint military exercises with the Philippine military. A downed US military surveillance drone was discovered in the Philippines’ restive Quezon province in early 2015, according to the Philippine Daily Inquirer. The embassy responded that the drone was an “expended” aerial target launched during military exercises during September 2014 off the coast of Guam.[155]

The US has also been conducting large-scale interception of communications in and out of the Philippines. Documents released by Edward Snowden in May 2014 show that the US’ National Security Agency (NSA) had “access via DSD asset in a Philippine provider site. Collects Philippine GSM, short message service (SMS) and Call Detail Records.” This, the NSA predicted, “[w]ill soon become a source of lucrative intelligence for terrorist activities in Southern Philippines.”[156] The 2013 project, codenamed MYSTIC, involved the interception of large amounts of the communications of five countries, including the Philippines, from undersea cables.[157]

[41] Interception refers to listening to, recording, monitoring or surveillance of the content of communications, including procuring of the content of data, either directly, through access and use of a computer system or indirectly, through the use of electronic eavesdropping or tapping devices, at the same time that the communication is occurring. [Sec. 3(m), RA 10175]

About FMA

FMA is a nonprofit NGO in the Philippines seeking to democratize information and communication systems for citizens and communities.